Return-Path: 
 <dev-return-85980-apmail-ofbiz-dev-archive=ofbiz.apache.org@ofbiz.apache.org>
X-Original-To: apmail-ofbiz-dev-archive@www.apache.org
Delivered-To: apmail-ofbiz-dev-archive@www.apache.org
Received: from mail.apache.org (hermes.apache.org [140.211.11.3])
	by minotaur.apache.org (Postfix) with SMTP id A53D617707
	for <apmail-ofbiz-dev-archive@www.apache.org>;
 Wed, 25 Mar 2015 00:45:54 +0000 (UTC)
Received: (qmail 78675 invoked by uid 500); 25 Mar 2015 00:45:54 -0000
Delivered-To: apmail-ofbiz-dev-archive@ofbiz.apache.org
Received: (qmail 78625 invoked by uid 500); 25 Mar 2015 00:45:54 -0000
Mailing-List: contact dev-help@ofbiz.apache.org; run by ezmlm
Precedence: bulk
List-Help: <mailto:dev-help@ofbiz.apache.org>
List-Unsubscribe: <mailto:dev-unsubscribe@ofbiz.apache.org>
List-Post: <mailto:dev@ofbiz.apache.org>
List-Id: <dev.ofbiz.apache.org>
Reply-To: dev@ofbiz.apache.org
Delivered-To: mailing list dev@ofbiz.apache.org
Received: (qmail 78394 invoked by uid 99); 25 Mar 2015 00:45:54 -0000
Received: from arcas.apache.org (HELO arcas.apache.org) (140.211.11.28)
    by apache.org (qpsmtpd/0.29) with ESMTP; Wed, 25 Mar 2015 00:45:54 +0000
Date: Wed, 25 Mar 2015 00:45:54 +0000 (UTC)
From: "Forrest Rae (JIRA)" <jira@apache.org>
To: dev@ofbiz.apache.org
Message-ID: <JIRA.12785353.1427239740000.17494.1427244354243@Atlassian.JIRA>
In-Reply-To: <JIRA.12785353.1427239740000@Atlassian.JIRA>
References: <JIRA.12785353.1427239740000@Atlassian.JIRA>
 <JIRA.12785353.1427239740720@arcas>
Subject: [jira] [Updated] (OFBIZ-6207) Anyone can view any Request or Quote
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: 7bit
X-JIRA-FingerPrint: 30527f35849b9dde25b450d4833f0394


     [ https://issues.apache.org/jira/browse/OFBIZ-6207?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Forrest Rae updated OFBIZ-6207:
-------------------------------
    Attachment: OFBIZ-6207-second-attempt.patch

I just attached OFBIZ-6207-second-attempt.patch.  This patch should work cleaner.

> Anyone can view any Request or Quote
> ------------------------------------
>
>                 Key: OFBIZ-6207
>                 URL: https://issues.apache.org/jira/browse/OFBIZ-6207
>             Project: OFBiz
>          Issue Type: Bug
>          Components: specialpurpose/ecommerce
>    Affects Versions: Trunk, 13.07.01
>            Reporter: Forrest Rae
>            Priority: Critical
>              Labels: security
>         Attachments: OFBIZ-6207-second-attempt.patch, OFBIZ-6207.patch
>
>
> This is a security bug in the ecommerce application.  Anyone can view any quote or request in the system regardless of the associated partyId.  They can do this via URL parameter manipulation.
> Reproduction:
> 1) Login to the ecommerce application as DemoCustomer.
> 2) Navigate to http://demo-stable-ofbiz.apache.org/ecommerce/control/ViewRequest?custRequestId=9000 to view your own request.
> 3) Navigate to http://demo-stable-ofbiz.apache.org/ecommerce/control/ViewRequest?custRequestId=9001 to view DemoCustAgent's request.
> 4) Navigate to http://demo-stable-ofbiz.apache.org/ecommerce/control/ViewRequest?custRequestId=9002 to view DemoCustomer2's request.
> Same goes for Quotes, although there are no quotes in the Demo data.  The attach patch fixes this issue.
> Would like this issue back ported to release 13.07 please.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)